SB2025031227 - Multiple vulnerabilities in IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025031227

SB2025031227 - Multiple vulnerabilities in IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component

Published: March 12, 2025

Security Bulletin ID SB2025031227
Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-7348)

The vulnerability allows a remote user to escalate privileges within the database.

The vulnerability exists due to a race condition when executing concurrent pg_dump sessions. A remote user with privileges to create and drop non-temporary objects can execute arbitrary SQL commands with the privileges of the role running pg_dump (which is often a superuser).


2) Missing Authorization (CVE-ID: CVE-2024-4317)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. A remote user can read most common values and other statistics from CREATE STATISTICS commands of other users.


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-39418)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to the MERGE command does not properly enforce UPDATE or SELECT row security policies. A remote user can read or update protected data.


Remediation

Install update from vendor's website.

References